Incorrect transitive dependencies for pkg:maven/commons-validator/[email protected]

[ishapirovArnica]

IDs

CVE-2019-10086

Description

Trivy incorrectly misses some transitive dependencies of the package commons-validator:[email protected]. One of these missing dependencies is the package commons-beanutils:[email protected] which has the associated vulnerability CVE-2019-10086.

If you view the pom.xml for the commons-validator:[email protected] you can see the commons-beanutils:[email protected] listed as a dependency.

Reproduction Steps

1. Create a simple pom.xml file which only contains the commons-validator:[email protected] package.

Here is the file I used as an example:


<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>my.project</groupId>
  <artifactId>test</artifactId>
  <version>1.0.0</version>
  <packaging>jar</packaging>

  <dependencies>
    <dependency>
        <groupId>commons-validator</groupId>
        <artifactId>commons-validator</artifactId>
        <version>1.5.1</version>
      </dependency>
  </dependencies>
  
</project>

2. Run mvn dependency:tree on this file. You should see the commons-beanutils:commons-beanutils:jar:1.9.2:compile and commons-logging:commons-logging:jar:1.2:compile packages listed as dependencies of the commons-validator:commons-validator package.

Output:

[INFO] Scanning for projects...
[INFO] 
[INFO] --------------------------< my.project:test >---------------------------
[INFO] Building test 1.0.0
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- dependency:3.6.0:tree (default-cli) @ test ---
[INFO] my.project:test:jar:1.0.0
[INFO] \- commons-validator:commons-validator:jar:1.5.1:compile
[INFO]    +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO]    +- commons-digester:commons-digester:jar:1.8.1:compile
[INFO]    +- commons-logging:commons-logging:jar:1.2:compile
[INFO]    \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.485 s
[INFO] Finished at: 2023-12-26T19:52:30-05:00
[INFO] ------------------------------------------------------------------------

3. Execute trivy fs --format cyclonedx --scanners vuln .

4. In the dependencies section find the ref for commons-validator:commons-validator (pkg:maven/commons-validator/[email protected]). You will notice in the dependsOn section that the refs for commons-beanutils:commons-beanutils and commons-logging:commons-logging aren't listed. These are the same packages present as dependencies in step 2 and in the link to the pom.xml file in the Description section.

Output snippet for the commons-validator:commons-validator ref (full output shown below in the Debug Output section:

{
  "ref": "pkg:maven/commons-validator/[email protected]",
  "dependsOn": [
    "pkg:maven/commons-collections/[email protected]",
    "pkg:maven/commons-digester/[email protected]"
  ]
}

Target

Filesystem

Scanner

Vulnerability

Target OS

macOS Sonoma 14.0

Debug Output

2023-12-26T19:45:36.022-0500    DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-12-26T19:45:36.023-0500    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-12-26T19:45:36.024-0500    DEBUG   Ignore statuses {"statuses": null}
2023-12-26T19:45:36.074-0500    DEBUG   cache dir:  /Users/my-user/Library/Caches/trivy
2023-12-26T19:45:36.076-0500    DEBUG   DB update was skipped because the local DB is the latest
2023-12-26T19:45:36.076-0500    DEBUG   DB Schema: 2, UpdatedAt: 2023-12-27 00:15:45.318442686 +0000 UTC, NextUpdate: 2023-12-27 06:15:45.318442305 +0000 UTC, DownloadedAt: 2023-12-27 00:34:40.507258 +0000 UTC
2023-12-26T19:45:36.078-0500    INFO    Vulnerability scanning is enabled
2023-12-26T19:45:36.078-0500    DEBUG   Vulnerability type:  [os library]
2023-12-26T19:45:36.079-0500    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2023-12-26T19:45:36.083-0500    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-12-26T19:45:36.084-0500    DEBUG   Walk the file tree rooted at '.' in parallel
2023-12-26T19:45:36.094-0500    DEBUG   Resolving commons-validator:commons-validator:1.5.1...
2023-12-26T19:45:36.096-0500    DEBUG   Start parent: org.apache.commons:commons-parent:39
2023-12-26T19:45:36.100-0500    DEBUG   Start parent: org.apache:apache:16
2023-12-26T19:45:36.103-0500    DEBUG   Exit parent: org.apache:apache:16
2023-12-26T19:45:36.103-0500    DEBUG   Exit parent: org.apache.commons:commons-parent:39
2023-12-26T19:45:36.103-0500    DEBUG   Resolving commons-digester:commons-digester:1.8.1...
2023-12-26T19:45:36.104-0500    DEBUG   Start parent: org.apache.commons:commons-parent:11
2023-12-26T19:45:36.107-0500    DEBUG   Start parent: org.apache:apache:4
2023-12-26T19:45:36.108-0500    DEBUG   Exit parent: org.apache:apache:4
2023-12-26T19:45:36.108-0500    DEBUG   Exit parent: org.apache.commons:commons-parent:11
2023-12-26T19:45:36.108-0500    DEBUG   Resolving commons-collections:commons-collections:3.2.2...
2023-12-26T19:45:36.109-0500    DEBUG   Start parent: org.apache.commons:commons-parent:39
2023-12-26T19:45:36.109-0500    DEBUG   Exit parent: org.apache.commons:commons-parent:39
2023-12-26T19:45:36.160-0500    DEBUG   OS is not detected.
2023-12-26T19:45:36.161-0500    DEBUG   Detected OS: unknown
2023-12-26T19:45:36.161-0500    INFO    Number of language-specific files: 1
2023-12-26T19:45:36.161-0500    INFO    Detecting pom vulnerabilities...
2023-12-26T19:45:36.161-0500    DEBUG   Detecting library vulnerabilities, type: pom, path: pom.xml
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:d671e060-c6cb-4a1b-ab94-593be1dc8ae3",
  "version": 1,
  "metadata": {
    "timestamp": "2023-12-27T00:45:36+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.48.1"
      }
    ],
    "component": {
      "bom-ref": "029474bc-bca2-4974-95bc-96d33202f8e1",
      "type": "application",
      "name": ".",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "3e6ea725-3ee6-4566-b21c-88bce912394e",
      "type": "application",
      "name": "pom.xml",
      "properties": [
        {
          "name": "aquasecurity:trivy:Class",
          "value": "lang-pkgs"
        },
        {
          "name": "aquasecurity:trivy:Type",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/commons-collections/[email protected]",
      "type": "library",
      "name": "commons-collections:commons-collections",
      "version": "3.2.2",
      "licenses": [
        {
          "license": {
            "name": "Apache License, Version 2.0"
          }
        }
      ],
      "purl": "pkg:maven/commons-collections/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "commons-collections:commons-collections:3.2.2"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/commons-digester/[email protected]",
      "type": "library",
      "name": "commons-digester:commons-digester",
      "version": "1.8.1",
      "licenses": [
        {
          "license": {
            "name": "The Apache Software License, Version 2.0"
          }
        }
      ],
      "purl": "pkg:maven/commons-digester/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "commons-digester:commons-digester:1.8.1"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/commons-validator/[email protected]",
      "type": "library",
      "name": "commons-validator:commons-validator",
      "version": "1.5.1",
      "licenses": [
        {
          "license": {
            "name": "Apache License, Version 2.0"
          }
        }
      ],
      "purl": "pkg:maven/commons-validator/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "commons-validator:commons-validator:1.5.1"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/my.project/[email protected]",
      "type": "library",
      "name": "my.project:test",
      "version": "1.0.0",
      "purl": "pkg:maven/my.project/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "my.project:test:1.0.0"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "029474bc-bca2-4974-95bc-96d33202f8e1",
      "dependsOn": [
        "3e6ea725-3ee6-4566-b21c-88bce912394e"
      ]
    },
    {
      "ref": "3e6ea725-3ee6-4566-b21c-88bce912394e",
      "dependsOn": [
        "pkg:maven/commons-validator/[email protected]",
        "pkg:maven/my.project/[email protected]"
      ]
    },
    {
      "ref": "pkg:maven/commons-collections/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:maven/commons-digester/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:maven/commons-validator/[email protected]",
      "dependsOn": [
        "pkg:maven/commons-collections/[email protected]",
        "pkg:maven/commons-digester/[email protected]"
      ]
    },
    {
      "ref": "pkg:maven/my.project/[email protected]",
      "dependsOn": [
        "pkg:maven/commons-validator/[email protected]"
      ]
    }
  ],
  "vulnerabilities": []
}

Version

Version: 0.48.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-12-27 00:15:45.318442686 +0000 UTC
  NextUpdate: 2023-12-27 06:15:45.318442305 +0000 UTC
  DownloadedAt: 2023-12-27 00:34:40.507258 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @ishapirovArnica
Thanks for your report!

I created #5827 for this task.

Regards, Dmitriy